Getting Ready for Australia’s NDB

Australia’s Notifiable Data Breach regime is just weeks away. Are you ready?

It may seem like there is plenty of time before Australia's Notifiable Data Breach (NDB) scheme kicks off, but there isn't. As the festive season takes you from one Christmas party to the next, remember that the scheme commences on 22 February 2018. With just weeks to go, there is not much time left to get compliant.

You wouldn't be alone: survey after survey has shown that many businesses already accept they won't meet the requirements of the NDB or of the European Union's General Data Protection Regulation (GDPR). The GDPR takes effect on 25 May 2018 and also reaches Australian businesses that offer goods or services to people in the EU or monitor their behaviour, completing a one-two punch of data regulation at a level Australian businesses have not faced before.

Just 59 percent of respondents to Gemalto's Data Security Confidence Index 2017 said they believe all of their sensitive data is secure. Yet 55 percent of respondents admitted they don't know where all of their sensitive data is stored, and 53 percent admitted they won't meet the GDPR deadline.

With weeks to go until the Office of the Australian Information Commissioner (OAIC) begins enforcing the scheme, under which an organization that suffers a data breach likely to result in serious harm must notify the OAIC and the individuals affected, there are no magic fixes to get everybody over the line. Many companies will be working on borrowed time, but by taking a multi-pronged approach to securing your data you can at least make sure you know what belongs on your to-do list for 2018.

The security foundation.

In general, businesses need three key capabilities to provide the level of data security, management, and visibility that both the NDB and the GDPR expect of them.

The first is data stewardship: having the tools to know where all your data is, how sensitive it is, how it might be stolen, how to stop it leaving the organization, and what happens when it leaves anyway. Data loss prevention (DLP) tools are readily available, but their job is harder than ever now that data moves constantly between desktop, laptop, and mobile devices and into and out of cloud services you probably don't control. Take the time to inventory your data and classify it by business criticality and by the harm its disclosure would cause; that classification is what lets you prioritize controls now and, later, judge whether a particular breach is likely to cause serious harm.

Another core defense is making sure your data is encrypted at rest and, particularly, while it moves between systems. Gemalto's figures suggested that just 8 percent of breached data was encrypted, which highlights the poor practices of companies that don't seem to realize that encryption is the one control that keeps data protected after the store holding it has been breached. The caveat is key management: encryption only helps if the keys are held separately from the data (in an HSM, a key management service, or at least a separate secrets store) and were not taken in the same breach. A database dump whose encryption key sits in the same backup is, for practical purposes, unencrypted.
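To make the at-rest point concrete, here is an added example (not code from the article or from Gemalto) of field-level encryption of a stored record with AES-256-GCM. The `Record` type, the customer identifier and the sample values are constructed for illustration; the data key is assumed to live outside the data store, so a stolen copy of the table carries ciphertext only. The record's customer ID is bound in as additional authenticated data, so a ciphertext copied into another customer's row will not decrypt, and any tampering with the stored bytes is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is a constructed sample of the kind of personal data the NDB
// scheme covers. Only the sensitive field is encrypted; the ID stays in
// the clear so it can be used as a lookup key and as authenticated context.
type Record struct {
	CustomerID string
	Email      string
	TaxFileNo  string
}

// NewDataKey generates a 32-byte AES-256 key. In a real deployment this key
// is held in an HSM or KMS, never in the same database or backup as the data.
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealField encrypts one field with AES-GCM. A fresh random nonce per call
// means identical plaintexts produce different ciphertexts, so a stolen table
// does not even reveal which customers share a value. The nonce is stored in
// front of the ciphertext; GCM appends its 16-byte authentication tag.
func SealField(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenField reverses SealField. It fails on a wrong key, a modified
// ciphertext or tag, or a mismatched aad (ciphertext moved between rows).
func OpenField(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed value too short to contain a nonce")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// ContainsPlaintext is the check an attacker with a stolen dump would run:
// does the stored blob still contain the sensitive value verbatim?
func ContainsPlaintext(sealed, plaintext []byte) bool {
	return bytes.Contains(sealed, plaintext)
}

func main() {
	key, err := NewDataKey()
	if err != nil {
		panic(err)
	}
	rec := Record{CustomerID: "cust-1001", Email: "jo@example.com", TaxFileNo: "123 456 782"}
	aad := []byte(rec.CustomerID)

	sealed, err := SealField(key, aad, []byte(rec.TaxFileNo))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob for %s: %x\n", rec.CustomerID, sealed)
	fmt.Println("dump exposes TFN:", ContainsPlaintext(sealed, []byte(rec.TaxFileNo)))

	pt, err := OpenField(key, aad, sealed)
	fmt.Printf("decrypted with key: %q err=%v\n", pt, err)

	// Simulate a breached copy that someone has tried to alter.
	sealed[len(sealed)-1] ^= 0x01
	_, err = OpenField(key, aad, sealed)
	fmt.Println("tampered copy rejected:", err != nil)
}
```

Binding the customer ID as additional authenticated data is what stops a ciphertext from being transplanted between rows; if you later need to re-key the table, the same functions serve for a rolling re-encryption under a new data key.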

The third key element of a strong data defense is incident crisis management. This relies heavily on tools such as security information and event management (SIEM) systems to improve visibility. The NDB scheme expects you to assess a suspected breach within 30 days and, if it turns out to be an eligible breach, to notify the OAIC and the affected individuals as soon as practicable; in the unfortunate event of a breach, centralized logs and the SIEM built on them are what let you work out which data was compromised and who it affects. That only works if the relevant logs (database and file access audit trails, authentication events, network flows) were being collected and retained before the incident, so check your log coverage and retention periods now rather than in the middle of an investigation.

Closing the gaps.

If you haven’t implemented such core systems yet, you may struggle to do so with just weeks to go. Such time pressures are one of the reasons many companies are turning to cloud-based security solutions, which can help you demonstrate your good-faith efforts to meet NDB and GDPR obligations in the short timeframe remaining.

Whether or not you’re going to make the deadline, it’s important to use the transition to the NDB and GDPR regimes as an opportunity to review all of your data holdings – then make some objective decisions about how you’re going to protect it all. Email is an obvious target for prioritization given its prominence in companies’ everyday operations and its common role as a filing system for corporate secrets.

This process also includes remediating the human risk that every organization deals with every day. That means user training, since users need to be on board with efforts to improve data protection if those efforts are to succeed, as well as organizational changes such as integrating security into development and DevOps processes and appointing a data protection officer (DPO), a role the GDPR makes mandatory for some organizations.

A DPO works with IT security and business stakeholders to coordinate the protection of data as it flows through the business. By positioning such a person between IT security and the business units that own the data, the DPO can drive the organizational and technological change needed to satisfy the requirements laid down in the incoming legislation.

However big the gaps in your information-protection strategy, they aren't going to close by themselves. Be honest with yourself about your progress towards meeting the NDB's requirements, which all hinge on being able to detect a breach, assess whether it is likely to cause serious harm, and notify the people affected, and make sure you are on the front foot as the new year rolls in.

Ultimately, even the most data-disciplined organizations will find that obligations around breach disclosure will force people and processes to change. It’s not the only task ahead of you, but implementing the right technology now will go a long way towards giving you a solid foundation for compliance – and help make sure that you’re not the first company the OAIC moves to make an example of, come next year.

Many organizations will be in for a few shocks over the coming months. However, they will be good shocks: in the long run, you’ll get past them – and your security practices will be in a better place moving into the future.
